I am pleased to announce the availability of a new consolidated patch for Integrated SOA Gateway in EBS R12.2 and EBS R12.1.3. This patch contains a new feature: REST support for Open Interface Tables. It also includes over four dozen fixes for stability and performance, and is highly recommended for all users.

This is a cumulative patch update that includes all previously released ISG updates for EBS R12.1.3.

These patches include critical bug fixes in Integrated SOA Gateway. They include major updates in REST service enablement of Open Interface Tables and Views. If you are using Open Interface Tables and Views as REST-based web services with the previous ISG consolidated patch, you are required to apply this new consolidated patch.

I am pleased to announce that Oracle Access Manager 12c (12.2.1.3.0) and Oracle Internet Directory 12c (12.2.1.3.0) are now certified with E-Business Suite Releases 12.2.3 and higher and Release 12.1.3 and higher.

Note: We are currently in the process of certifying Oracle E-Business Suite Release 12.2.7 and higher with Oracle Unified Directory 12c. You may monitor or subscribe to this blog for the latest EBS technology certification announcements.

If you are implementing single sign-on for the first time, or are an existing Oracle Access Manager user, you may now integrate with Oracle Access Manager 12c using Oracle Access Manager WebGate and Oracle E-Business Suite AccessGate.

I'm pleased to announce Oracle Grid 12c Release 2 (12.2) is now certified when using Oracle 12c Release 12.1 Real Application Clusters (RAC) with Oracle E-Business Suite Release 12.2. When using Oracle RAC 12.1 with Oracle E-Business Suite 12.2, you now have the option to use either Oracle Grid 12c Release 12.2 or 12.1.

Configuring Oracle Grid and shared storage is a mandatory requirement for deploying Oracle Real Application Clusters (RAC). Note that the Cluster Ready Services (CRS) ORACLE_HOME, other locations, and commands may differ between the two Oracle Grid 12c Releases.

Here are our latest upgrade recommendations for E-Business Suite updates and technology stack components. These quarterly recommendations are based upon the latest updates to Oracle's product strategies, latest support timelines, and newly-certified releases.

The Critical Patch Update (CPU) for July 2018 was released on July 17, 2018. Oracle strongly recommends applying the patches as soon as possible.

The Critical Patch Update Advisory is the starting point for relevant information. It includes a list of products affected, pointers to obtain the patches, a summary of the security vulnerabilities, and links to other important documents.

Supported products that are not listed in the "Supported Products and Components Affected" Section of the advisory do not require new patches to be applied.

The Critical Patch Update Advisory is available at the following location:

As with almost all previous Oracle E-Business Suite Critical Patch Updates (CPU), the July 2018 quarterly patch is significant and high-risk for PeopleSoft applications. Despite the publicity, marketing, or naming of specific vulnerabilities, this quarter is no different than previous quarters in terms of risk and prioritization within your organization.

For this quarter, there are 15 security vulnerabilities patched in PeopleSoft applications and PeopleTools:

10 - PeopleTools

2 - PeopleSoft Financials

2 - PeopleSoft HCM

1 - PeopleSoft Campus Solutions

11 of the 15 security vulnerabilities are remotely exploitable without authentication; therefore, an attacker can exploit PeopleSoft without any credentials. For this quarter, there are 7 cross-site scripting vulnerabilities, 3 vulnerabilities in third-party libraries used in PeopleSoft, and 5 other types of vulnerabilities.

For PeopleTools, only 8.55 and 8.56 are supported. Previous versions of PeopleTools must be upgraded in order to apply the security patches.

Tuxedo

Another vulnerability for Tuxedo JOLT (CVE-2018-3007) is fixed in this CPU; therefore, Tuxedo must also be patched. Configuration changes must be made to the Tuxedo server to limit connections to both JSH and WSH in order to reduce the risk of security vulnerabilities.

WebLogic

A number of vulnerabilities in WebLogic are fixed in this CPU, including a vulnerability accessible via the T3 protocol. In addition to applying the appropriate WebLogic security patch, WebLogic should be configured to allow access only via the HTTPS protocol.

Oracle Database

For the July 2018 CPU, only 11.2.0.4 and 12.1.0.2 are supported for security patches. For the database, there is an OJVM security patch, so either the combo patch or a separate OJVM patch must be applied to correct the vulnerability in the Java Virtual Machine (JVM) in the database, which is used by PeopleSoft.

July 2018 Recommendations

As with almost all Critical Patch Updates, the security vulnerability fixes are significant and high-risk. Corrective action should be taken immediately for all PeopleSoft environments. The most at-risk implementations are Internet-facing environments, and Integrigy rates this CPU as high risk due to the large number of cross-site scripting (XSS) vulnerabilities that can be remotely exploited without authentication. These implementations should apply the CPU as soon as possible or use a virtual patching solution such as AppDefend.

Most PeopleSoft environments do not apply the CPU security patch in a timely manner and are vulnerable to full compromise of the application through exploitation of multiple vulnerabilities. If the CPU cannot be applied quickly, the only effective alternative is the use of Integrigy's AppDefend, an application firewall for Oracle PeopleSoft. AppDefend provides virtual patching and can effectively replace patching of PeopleSoft web security vulnerabilities.

As with almost all previous Oracle E-Business Suite Critical Patch Updates (CPU), the July 2018 quarterly patch is significant and high-risk. 51 of the past 55 quarterly patches are significant and high-risk as they fix one or more SQL injection vulnerabilities or other damaging security vulnerabilities in the web application of Oracle E-Business Suite. Despite the publicity, marketing, or naming of specific vulnerabilities, this quarter is no different than previous quarters in terms of risk and prioritization within your organization.

For this quarter, there are 10 cross-site scripting (XSS) vulnerabilities and 4 other types of vulnerabilities fixed. Most important is that 13 of the 14 vulnerabilities are remotely exploitable without authentication.

Externally facing Oracle E-Business Suite environments (DMZ) running iStore should take immediate action to mitigate the three vulnerabilities impacting iStore. These web pages are allowed by the URL Firewall if the iStore module is enabled. Two of the three are cross-site scripting (XSS) vulnerabilities, which require interaction with the end user, such as clicking a link, but allow the attacker to hijack the end user's session.

July 2018 Recommendations

As with almost all Critical Patch Updates, the security vulnerability fixes are significant and high-risk. Corrective action should be taken immediately for all Oracle E-Business Suite environments. The most at-risk implementations are those running Internet-facing self-service modules (iStore for this CPU), and Integrigy rates this CPU as high risk due to the large number of cross-site scripting (XSS) vulnerabilities that can be remotely exploited without authentication. These implementations should (1) apply the CPU as soon as possible or use a virtual patching solution such as AppDefend and (2) ensure the DMZ is properly configured according to the EBS-specific instructions and the EBS URL Firewall is enabled and optimized.

Most Oracle E-Business Suite environments do not apply the CPU security patch in a timely manner and are vulnerable to full compromise of the application through exploitation of multiple vulnerabilities. If the CPU cannot be applied quickly, the only effective alternative is the use of Integrigy's AppDefend, an application firewall for the Oracle E-Business Suite. AppDefend provides virtual patching and can effectively replace patching of EBS web security vulnerabilities.

Oracle E-Business Suite 12.1 and 12.2 Patching

For 12.2, there are no significant changes from previous CPUs and 12.2.3 along with R12.AD.C.DELTA.10 and R12.TXK.C.DELTA.10 roll-up patches is the minimum baseline. In addition to the cumulative EBS security patch, the July 2018 WebLogic 10.3.6 PSU must be applied (PSU 10.3.6.0.180717 - Patch 27919965).

For 12.1, there are no significant changes from the previous CPUs, and the major requirement is that the Oracle Application Server must be upgraded to 10.1.3.5. No security patches are required for the Oracle Application Server.

Only the 12.1.0.2 and 11.2.0.4 versions of the Oracle Database are supported, and the database must be upgraded in order to apply this quarter's database security patch if it has not already been upgraded. For the database, there is an OJVM security patch, so either the combo patch or a separate OJVM patch must be applied to correct the vulnerability in the Java Virtual Machine (JVM) in the database, which is used by Oracle E-Business Suite.

Oracle E-Business Suite 12.0

CPU support for Oracle E-Business Suite 12.0 ended January 2015 and there are no security fixes for this release. Integrigy’s initial analysis of the CPU shows all 14 vulnerabilities are exploitable in 12.0. In order to protect your application environment, the Integrigy AppDefend application firewall for Oracle E-Business Suite provides virtual patching for all these exploitable web security vulnerabilities.

Oracle E-Business Suite 11i

As of April 2016, the 11i CPU patches are only available for Oracle customers with Tier 1 Support. Integrigy’s analysis of the July 2018 CPU shows at least 6 of the 14 vulnerabilities are also exploitable in 11i. 11i environments without Tier 1 Support should implement a web application firewall and virtual patching for Oracle E-Business Suite in order to remediate the large number of unpatched security vulnerabilities. As of July 2018, an unsupported Oracle E-Business Suite 11i environment will have approximately 200 unpatched vulnerabilities – a number of which are high-risk SQL injection security bugs.

11i Tier 1 Support has been extended through December 2018, thus October 2018 will be the final CPU for Oracle E-Business Suite 11i. At this time it is unclear if Oracle will again extend support for another year; therefore, organizations should plan that support will not be extended and begin to take corrective action to ensure their environments are properly secured.

The use of the SAN field in a certificate request (CSR) allows you to specify multiple host names to be protected by a single public key certificate. Use of SAN will also allow using a single certificate for multiple domains.

A Wildcard Certificate is a public key certificate that can be used with multiple sub-domains of a domain.

Note: The latest releases of some browsers (e.g. Google Chrome) now require a SAN extension. Check your browser to determine if SAN is required.

How do you deploy SAN or Wildcard Certificates?

In the CSR SAN field, you may use the subjectAltName value, and optionally also use the wildcard character:

Example 1: SAN field entry for the CSR:

subjectAltName = DNS:www.example.com,DNS:example.com

Example 2: SAN field entry with a wildcard for the CSR:

subjectAltName = DNS:*.example.com

If you have already enabled TLS, you may need to redo your CSR using the SAN field. Check with your CA regarding their specific requirements for adding SAN. If you have not enabled TLS, simply follow the instructions for doing so, using the SAN field accordingly.
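Before submitting the CSR, it helps to check which hostnames each SAN entry really covers. The following is an added example, not code from the original post or from Oracle: it parses the two `subjectAltName` lines shown above and applies RFC 6125-style matching, where `*` stands for exactly one left-most label. The function names and the host list are constructed for illustration, and rejecting wildcards with fewer than three labels is a conservative assumption.

```python
"""Added example: which hostnames do the page's two SAN entries cover?"""

def parse_san(line):
    """Extract DNS names from an OpenSSL-style 'subjectAltName = DNS:a,DNS:b' line."""
    _, _, value = line.partition("=")
    names = []
    for entry in value.split(","):
        kind, _, name = entry.strip().partition(":")
        if kind.upper() == "DNS" and name:
            names.append(name.strip().lower().rstrip("."))
    return names

def san_matches(pattern, host):
    """RFC 6125-style match: '*' is honoured only as the entire left-most
    label and stands for exactly one label (never zero, never several)."""
    p_labels = pattern.split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False
    if p_labels[0] == "*":
        # Assumption: require at least '*.domain.tld' so '*.com' never matches.
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    # Partial-label wildcards such as 'w*.example.com' are rejected.
    return "*" not in pattern and p_labels == h_labels

def covered(san_line, host):
    """True if any DNS entry in the SAN line covers the host."""
    return any(san_matches(p, host) for p in parse_san(san_line))

def coverage_report(san_line, hosts):
    """Map each host to whether the SAN line covers it."""
    return {h: covered(san_line, h) for h in hosts}

# The two SAN lines from the examples above.
EXAMPLE_1 = "subjectAltName = DNS:www.example.com,DNS:example.com"
EXAMPLE_2 = "subjectAltName = DNS:*.example.com"
# Constructed host list for the check.
HOSTS = ["www.example.com", "example.com", "ebs.example.com", "a.b.example.com"]

if __name__ == "__main__":
    for label, san in (("Example 1", EXAMPLE_1), ("Example 2", EXAMPLE_2)):
        print(label, "->", san)
        for host, ok in coverage_report(san, HOSTS).items():
            print(f"  {host:20} {'covered' if ok else 'NOT covered'}")
```

The wildcard entry alone covers neither the bare domain nor names more than one level deep, so a CSR that must protect both needs the apex listed as its own `DNS:` entry next to the wildcard.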

Note: We highly recommend that all customers migrate to TLS. If you have not already migrated to TLS, please do so as soon as possible.

For complete instructions, refer to the following My Oracle Support Knowledge Document:

These updates are provided in cumulative Release Update Packs, and cumulative Bundle Patches that can be applied on top of the Release Update Packs. In this context, cumulative means that the latest RUP or Bundle Patch contains everything released earlier.

The latest OAF update for Oracle E-Business Suite Release 12.2.6 is now available:

Web-based content in Oracle E-Business Suite Release 12 runs on the Oracle Application Framework (also known as OA Framework, OAF, or FWK) user interface libraries and infrastructure. Since the initial release of Oracle E-Business Suite Release 12.2 in 2013, we have released a number of cumulative updates to Oracle Application Framework to fix performance, security, and stability issues.

The latest OAF update for Oracle E-Business Suite Release 12.2.5 is now available:

The following enhancements have been made to the Oracle E-Business Suite Release 12.2: Using Rapid Install Guide:

Reorganized and simplified chapters and steps

Removed the Upgrade chapter which is now incorporated directly in the related Oracle E-Business Suite Release 12.2 Upgrade Guide

Reduced the number of self references and external references and confirmed all remaining references

Leveraged new documentation tags for actionable references and steps

If you are already working on an Oracle E-Business Suite 12.2 installation, there's no need to switch to the recently updated Rapid Install Guide. If you are getting ready to start an installation, be sure to use the latest updated guide.

The latest OAF update for Oracle E-Business Suite Release 12.2.4 is now available:

We have just released four new enhancements for Concurrent Processing in E-Business Suite 12.1.3:

Storage Strategies for Log and Output File Locations: Create custom storage strategies for management of large numbers of concurrent processing log and output files. Customers can specify the strategy that best suits their particular needs. These strategies are called schemes.

Output File Naming Strategies: The output file naming conventions are now based on USER.REQID and REQID.OUT. The old USER format is desupported.

Timed Shutdown: Submit a normal, graceful shutdown and also specify a number of minutes after which an Abort command will be executed. If Concurrent Processing has not shut down after this number of minutes has passed, the graceful shutdown is converted to an Abort, and all remaining Concurrent Processing processes are aborted.

64-bit Java Support for the Output Post-Processor Service: A 64-bit Java Virtual Machine (JVM) is now supported for the Output Post Processor (OPP). This support allows for a larger heap size to be set, compared to the 2G heap size that 32-bit Java allows. This larger heap size will decrease out-of-memory errors. Note that the 64-bit JVM can be run for the OPP service only.

The official word on all EBS certifications is the Certifications database on My Oracle Support (MOS):

Since I announce all of my team's certifications here on this blog, I've also created a one-page summary of all blog articles covering EBS technology stack certifications. This summary page is maintained manually, so if there's any gap between the MOS Certifications database and this summary, the Certifications database wins.

Our blogging engine has changed multiple times over the years, so the URL for the Certifications summary has also changed periodically. The Certifications summary lives here now - update your bookmarks: